'''EncFS''' is a userspace stackable cryptographic file-system similar to [[eCryptfs]], and aims to secure data with the minimum hassle. It uses [[FUSE]] to mount an encrypted directory onto another directory specified by the user. It does not use a loopback system like some other comparable systems such as [[TrueCrypt]] and [[dm-crypt with LUKS|dm-crypt]].

EncFS is definitely the simplest software if you want to try disk encryption on Linux.

This has a number of advantages and disadvantages compared to these systems. Firstly, it does not require any root privileges to implement; any user can create a repository of encrypted files. Secondly, one does not need to create a single file and create a file-system within that; it works on an existing file-system without modifications.

This does create a few disadvantages, though; because the encrypted files are not stored in a single container file, someone who obtains access to the system can still see the underlying directory structure, the number of files, their sizes and when they were modified. They cannot see the contents, however.

This particular method of securing data is obviously not perfect, but there are situations in which it is useful.

For more details on how EncFS compares to other disk encryption solutions, see [[Disk Encryption#Comparison table]].

==Comparison to eCryptFS==

[[System_Encryption_with_eCryptfs|eCryptFS]] is implemented in kernelspace and is therefore a little harder to configure: you have to remember the various encryption options (ciphers used, key type, etc.). This is not the case with EncFS, because EncFS stores this information in its signature, so you do not have to remember anything except the passphrase. However, its authors claim that eCryptFS is faster, because there is no overhead caused by context switching between kernel and userspace.

==Installation==

Install the {{Pkg|encfs}} package using [[pacman]]:

# pacman -S encfs

==Usage==

To create a secured repository, type:

$ encfs ~/.DIRNAME ~/DIRNAME

This will be followed by a prompt about whether you want to go with the default (paranoid options) or expert configuration. The latter allows specifying algorithms and other options. The former is a fairly secure default setup. After entering a key for the encryption, the encoded file-system will be created and mounted. The encoded files are stored, in this example, at {{ic|~/.DIRNAME}}, and their unencrypted versions in '''{{ic|~/DIRNAME}}'''.

To unmount the file-system, type:

$ fusermount -u ~/DIRNAME

To remount the file-system, issue the first command, and enter the key used to encode it. Once this has been entered, the file-system will be mounted again.
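
The mount and unmount commands above, wrapped in a small script that checks /proc/mounts before acting, so a second encfs call does not stack a mount on top of an existing one and fusermount -u is not run on a directory that is not mounted. This is an added example, not code from the wiki page or from EncFS; the directory names ~/.DIRNAME and ~/DIRNAME follow the page, and MOUNTS_FILE is an assumed override so the check can be tested against a saved copy of /proc/mounts.

```shell
#!/bin/sh
# Wrapper around the encfs / fusermount -u commands from the Usage section.
# Added example, not from the wiki page. Assumed: the encrypted root is
# ~/.DIRNAME, the mountpoint is ~/DIRNAME, and MOUNTS_FILE can be pointed
# at a copy of /proc/mounts for testing.
set -u

MOUNTS_FILE="${MOUNTS_FILE:-/proc/mounts}"

# Return 0 if $1 is currently a FUSE mountpoint according to $MOUNTS_FILE
# (encfs mounts show up with type "fuse.encfs").
encfs_is_mounted() {
    local want dev mp type rest
    want="${1%/}"
    while read -r dev mp type rest; do
        # /proc/mounts escapes spaces in paths as \040; printf %b decodes that
        if [ "$(printf '%b' "$mp")" = "$want" ]; then
            case "$type" in fuse*) return 0 ;; esac
        fi
    done < "$MOUNTS_FILE"
    return 1
}

# Mount the encrypted directory $1 on $2 unless $2 is already mounted.
encfs_open() {
    if encfs_is_mounted "$2"; then
        echo "already mounted: $2" >&2
        return 0
    fi
    mkdir -p "$1" "$2"
    encfs "$1" "$2"        # prompts for the passphrase on the terminal
}

# Unmount $1 only if it really is mounted, so a stale call fails loudly.
encfs_close() {
    if ! encfs_is_mounted "$1"; then
        echo "not mounted: $1" >&2
        return 1
    fi
    fusermount -u "$1"
}

# Typical use:  encfs_open ~/.DIRNAME ~/DIRNAME ;  encfs_close ~/DIRNAME
```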

==User friendly mounting==


===Mount using CryptKeeper trayicon===

Quite a simple app: just install it from the AUR and add it to your X session:

* https://aur.archlinux.org/packages.php?ID=12743

===Mount at login using pam_encfs===

PAM module:

* https://aur.archlinux.org/packages.php?ID=2759

* http://pam-encfs.googlecode.com/svn/trunk/README

* http://pam-encfs.googlecode.com/svn/trunk/pam_encfs.conf


====Single password====

{{Warning|If you use the same password for login and EncFS (e.g. with try_first_pass or use_first_pass, so that EncFS is mounted during login), then you should use [[SHA password hashes]] (preferably SHA512 with a large number of rounds) and, most importantly, a SECURE PASSWORD, because the hash of your password is stored in unencrypted form in /etc/shadow and it can be cracked to obtain your EncFS password (which is the same as your regular Unix login password).}}

====/etc/pam.d/====

Note that when you use the '''try_first_pass''' parameter for '''pam_unix.so''', you will have to set EncFS to use the same password as your login (or vice-versa), and you will enter just a single password. Without this parameter you will need to enter two passwords.

=====login=====

This section explains how to make EncFS automount when you log in on a virtual terminal.

{{Note|If you only want to use it through GDM, you may skip this and go right to the [[EncFS#gdm|GDM section]] below.}}

<pre>
#%PAM-1.0
...
#session required pam_encfs.so
</pre>

{{Warning|Automatic unmounting happens even when another session is still active; e.g. logging out on a VC can unmount an EncFS folder that was mounted by a still-active GDM session.}}

=====gdm=====

This section explains how to make EncFS automount when you log in through GDM.

{{Note|For debugging purposes you may want to try automounting on virtual console login first; see the [[EncFS#login|login section]] above.}}

Edit the file '''/etc/pam.d/gdm-password''' and insert (do not overwrite) the following at the bottom of the file:

<pre>
#%PAM-1.0
...
session required pam_encfs.so
</pre>

Save and exit.

=====Configuration=====

Get '''pam_encfs''' from [[AUR]]:

<pre>
yaourt -S pam_encfs
</pre>

Edit '''/etc/security/pam_encfs.conf''':

Recommended: comment out the line

<pre>
encfs_default --idle=1
</pre>

This flag unmounts your encrypted folder after 1 minute of inactivity. If you are automounting it on login, you probably want to keep it mounted for as long as you are logged in.

To test your configuration, open a new virtual terminal (Control+Alt+F2) and log in. You should see PAM successfully mount your EncFS folder.
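
Before testing on a virtual terminal, a small audit script (added example, not part of pam_encfs or the wiki) can check the three points this section and the Single password section make: that the PAM service file has an active pam_encfs session line, whether --idle is still active in pam_encfs.conf, and whether pam_unix.so uses try_first_pass or use_first_pass so that the login password also guards the EncFS data. The file paths are passed as arguments; /etc/pam.d/gdm-password and /etc/security/pam_encfs.conf are the ones named above.

```shell
#!/bin/sh
# Audit of the pam_encfs setup described above. Added example, not part of
# pam_encfs or the wiki page. Arguments are a PAM service file (e.g.
# /etc/pam.d/gdm-password) and /etc/security/pam_encfs.conf.
set -u

# Print only active directives: commented-out and blank lines are dropped.
active_lines() { grep -Ev '^[[:space:]]*(#|$)' "$1"; }

# 0 if the service file has an active "session <control> pam_encfs.so" line.
pam_has_encfs_session() {
    active_lines "$1" | grep -Eq '^[[:space:]]*session[[:space:]]+[^[:space:]]+[[:space:]]+pam_encfs\.so'
}

# 0 if pam_unix.so is given try_first_pass or use_first_pass, i.e. the login
# password doubles as the EncFS password (see the Single password warning).
pam_single_password() {
    active_lines "$1" | grep -Eq 'pam_unix\.so.*(try|use)_first_pass'
}

# 0 if pam_encfs.conf still has an active "encfs_default ... --idle=N" line,
# which unmounts the folder after N minutes without activity.
pam_encfs_idle_active() {
    active_lines "$1" | grep -Eq '^[[:space:]]*encfs_default[[:space:]].*--idle=[0-9]+'
}

# Print one line per finding; the return value is the number of issues.
audit_pam_encfs() {
    local pamd="$1" conf="$2" issues=0
    if ! pam_has_encfs_session "$pamd"; then
        echo "MISSING: no active 'session ... pam_encfs.so' line in $pamd"
        issues=$((issues + 1))
    fi
    if pam_encfs_idle_active "$conf"; then
        echo "WARN: --idle is still active in $conf; the mount drops after inactivity"
        issues=$((issues + 1))
    fi
    if pam_single_password "$pamd"; then
        echo "INFO: single password in use; the hash in /etc/shadow now also guards the EncFS data"
    fi
    return "$issues"
}
```

Run it as `audit_pam_encfs /etc/pam.d/gdm-password /etc/security/pam_encfs.conf`; a zero exit status means nothing was flagged.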

===Mount at Gnome startup using gnome-encfs===

* https://aur.archlinux.org/packages.php?ID=37097

===Mount when USB drive with EncFS folders is inserted using fsniper===

A simple method to automount EncFS (asking for the password) when a USB drive with one or more EncFS folders in its root is inserted. We will use fsniper (a filesystem-watching daemon using inotify) and git (for the askpass binary).

* https://aur.archlinux.org/packages.php?ID=16677

* https://github.com/Harvie/Programs/tree/master/bash/encfs/automount (latest version of files used in following HOWTO)

Revision as of 21:15, 15 March 2013
